Should I avoid "include" SPF tags for SaaS when using DMARC?

I’ve watched three bootcamp DMARC videos (one, two, three), but this is still not totally clear to me.

Here’s what I’m thinking might be a possible attack vector if I set everything properly: SPF, DKIM and DMARC. Let’s say I’m using some SaaS like MailChimp to send emails, they give me “include:spf.mailchimp.com” (I’m making this up) and DKIM keys or CNAME for DKIM. I also set up DMARC with a reject policy. Looks like I’m spoofing-proof.

But if an attacker somehow convinces that same SaaS (it’s easy to see which ones we’re using by checking DNS) to use our @legitcompany.com email address (for example if they don’t do email verification when setting up), then they can easily send emails that look legitimate from our email address, right? This is because DMARC will succeed if either SPF or DKIM succeed.

So I’m thinking either I need to be sure that the SaaS does verify email ownership before sending from that email address, or maybe I just don’t use their SPF settings and just use DKIM.

What’s your take on that?

You definitely need to make sure that the SaaS verifies email ownership. The majority require that you implement the required DNS records and then come back to validate the domain. That is their way of validating domain ownership.

In case they don’t do that (I’m gonna have to do an audit of all our providers), should I remove their include from SPF and just use DKIM?

It shouldn’t hurt to do that. Just make sure the DKIM is working 100% of the time.
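A toy DMARC evaluation of the scenario from the question, added here as an illustration (not code from anyone in the thread). The DNS records, IP ranges, the `spf.mailchimp.com` name (the poster's own placeholder) and the assumption that the attacker's mail is not DKIM-signed with our domain are all constructed; alignment is modelled as strict (exact domain match).

```python
"""Toy DMARC check: DMARC passes if SPF *or* DKIM passes and aligns with the
From: header domain.  All DNS data below is constructed, not a real lookup."""
import ipaddress

# Constructed stand-in for DNS TXT records (no resolver is used).
DNS_SPF = {
    "legitcompany.com": "v=spf1 ip4:203.0.113.10 include:spf.mailchimp.com -all",
    "spf.mailchimp.com": "v=spf1 ip4:198.51.100.0/24 -all",   # SaaS sending range
}

def spf_authorized(domain, ip, dns, depth=0):
    """True if `ip` is authorized by `domain`'s SPF record.
    Only ip4: and include: mechanisms are modelled; depth mimics the lookup limit."""
    if depth > 10 or domain not in dns:
        return False
    addr = ipaddress.ip_address(ip)
    for term in dns[domain].split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return True
        if term.startswith("include:") and spf_authorized(term[8:], ip, dns, depth + 1):
            return True
    return False

def dmarc_passes(msg, dns):
    """msg keys: header_from, mail_from, source_ip, dkim_d (signing domain or
    None), dkim_valid.  Either aligned SPF or aligned DKIM is enough."""
    spf_aligned = (spf_authorized(msg["mail_from"], msg["source_ip"], dns)
                   and msg["mail_from"] == msg["header_from"])
    dkim_aligned = bool(msg["dkim_valid"]) and msg["dkim_d"] == msg["header_from"]
    return spf_aligned or dkim_aligned

def without_include(dns, domain, include_target):
    """Mitigation discussed in the thread: drop the SaaS include from our SPF,
    so mail from that SaaS must rely on our DKIM signature.  Returns a new dict."""
    hardened = dict(dns)
    terms = dns[domain].split()
    hardened[domain] = " ".join(t for t in terms if t != f"include:{include_target}")
    return hardened

# Our own campaign: SaaS IP, MAIL FROM our domain, DKIM signed with our key.
LEGIT = {"header_from": "legitcompany.com", "mail_from": "legitcompany.com",
         "source_ip": "198.51.100.25", "dkim_d": "legitcompany.com", "dkim_valid": True}
# Attacker on the same SaaS, no ownership verification: same IP range and
# MAIL FROM, but (assumed) not signed with our DKIM key.
ATTACKER = {"header_from": "legitcompany.com", "mail_from": "legitcompany.com",
            "source_ip": "198.51.100.77", "dkim_d": "attacker.example", "dkim_valid": True}

if __name__ == "__main__":
    hardened = without_include(DNS_SPF, "legitcompany.com", "spf.mailchimp.com")
    for label, dns in (("with include", DNS_SPF), ("without include", hardened)):
        print(label, "legit:", dmarc_passes(LEGIT, dns), "attacker:", dmarc_passes(ATTACKER, dns))
```

With the include present the attacker's mail passes DMARC on SPF alone; with it removed only the DKIM-signed campaign passes, which is why the last reply stresses that DKIM must then work every time.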